Law Firm Data Breach Could Be Panama Papers 2.0

In April, 2016, over 11 million confidential files, taken during a data breach at the Panamanian law firm Mossack Fonseca, were leaked to the press. These “Panama Papers” revealed the Byzantine complex of shell corporations that global elites used to hide their wealth, evade taxes, and avoid international sanctions—and they put in stark relief the stakes involved in law firm information security.

And while the Panama Papers leak brought down several world leaders, Mossack Fonseca is still around—and it may have some new company in the “devastating-law-firm-hack-reveals-shady-legal-dealings” club.

On Thursday, Appleby, a major offshore law firm based in Bermuda, confirmed that client data was breached last year. That information was then leaked to the International Consortium of Investigative Journalists, the same body that broke the Panama Papers leak.

The firm, which has offices across several offshore tax havens, from the Cayman Islands to the Isle of Man, specializes in advising some of the world’s wealthiest individuals, as well as major companies. In a statement, the firm said that it had suffered a “data security incident.” The firm continued:

We are an offshore law firm who advises clients on legitimate and lawful ways to conduct their business. We do not tolerate illegal behaviour. It is true that we are not infallible. Where we find that mistakes have happened we act quickly to put things right and we make the necessary notifications to the relevant authorities.

Accusations of wrongdoing were “unfounded,” the firm said, while criticizing the press for relying on documents that were illegally obtained.

Appleby says it has brought in “a leading IT Forensics team” to investigate the breach and is confident that “our data integrity is secure”—now, at least.

Potential Fallout

The documents revealed by Appleby’s leak have not been made publicly available and their contents have yet to be reported. But the key word here is yet. Many of the firm’s clients are bracing themselves for the revelation of information they would much prefer to keep secret.

When that information is revealed, it could have significant repercussions. In the wake of the Panama Papers breach, for example, governments across the world opened up investigations into the shell companies and legal strategies used by the law firm and its clients. Iceland’s Prime Minister Sigurdur Ingi Johannsson resigned just days after the leak, which revealed an offshore company he and his wife created in the British Virgin Islands. This July, Mian Muhammad Nawaz Sharif resigned as Prime Minister of Pakistan after the country’s Supreme Court ruled that he was not fit for office. That ruling came after the Panama Papers revealed the Sharif family’s great accumulation of hidden wealth and the resulting scandal which, curiously, turned on certain documents’ use of Microsoft’s Calibri font.

It’s unclear whether the Appleby breach will lead to similar revelations, but news of the leak is causing a panic among the firm’s customers, according to the Telegraph, who reports that some of the world’s richest people “were instructing lawyers and public relations companies in an effort to protect their reputations.”

Of course, Appleby and Mossack Fonseca are not the only firms to have suffered a data breach, though their breaches may be the most consequential so far. Some of the most prestigious U.S. law firms have fallen victims to cyberattacks, including Cravath and Weil Gotshal. The DOJ has also accused a group of Chinese nationals of trading on insider information hacked from major law firms as part of a scheme that netted $4 million in illegal profits. And, of course, DLA Piper suffered a major ransomware attack this summer. That event apparently did not result in the release of client data, but it did shut the firm down for days, at a likely cost of millions of dollars a day.

The Appleby Hack and eDiscovery

It’s unclear at this point just how Appleby’s information was breached, but there is no question that hackers are increasingly targeting law firms. This is true whether the breaches are caused by public-minded “hacktivists” or nefarious cybercriminals. The discovery process, in particular, presents an enticing target. At the outset of the discovery process, data is collected on the client side, often with minimal removal of sensitive information. Broad collection means that a discovery repository or litigation database is full of highly sensitive data—data that’s been flagged for litigation but not yet culled of confidential material. It is the perfect target for hackers.

There are eDiscovery connections here beyond just the risks of breaches, as well. Discovery is, after all, the process of “excavating the forensic landscape of what happened,” as Magistrate Judge Laurel Beeler once phrased it, discovery tools have played a major role in making sense of documents post-breach. As Gregory Bufithis notes in a must-read blog post on the Panama Papers and the likely assassination of Maltese journalist Daphne Caruana Galizia just two weeks ago, discovery solutions are becoming increasingly important tools in helping journalists sift through enormous amounts of data, giving rise to “data journalism”:

But much of the credit for the birth of data journalism lies outside of the news industry: often overlooked in histories of the form is the work of civic coders and information activists (in particular MySociety which was opening up political data and working with news organisations well before the term data journalism was coined), and technology companies (the APIs and tools of Yahoo! for example formed the basis of much of data journalism’s early experiments).

And, of course … e-discovery software. Its use to support investigative reporting is now common because it allows journalists the ability to analyze large data sets quickly and accurately. More and more reporters are trawling documents – whether emails, text messages, or files – to uncover the stories within. This is much the same process attorneys go through while building a case. Finding key documents and weaving them into a story is what sophisticated e-discovery was designed for.

It’s too soon to say if the Appleby hack was a result of lack of security in the discovery process, or if journalists will unleash eDiscovery software to bring to light the information hidden in those hacked documents. But if Appleby’s breach does end up becoming “the Panama Papers 2.0,” the impact on attorneys, journalists, and, of course, the clients impacted, could be significant.